Obligations to EU residents

2. Do our clients need to obtain permission to input this personal information first?
3. Do we need to purge any historical data about EU residents from our database if we do not know how the information was collected?

Answers:

1. From the beginning it is important to know that GDPR is applicable to your company because you are monitoring individuals who’s behavior takes place within the European Union. As your company is collecting the data and decides what data is to be collected this makes it a controller. It should notify the EU residents from it’s data base that is processing their personal data as per the requirements of EU GDPR article 14 - “Information to be provided where personal data have not been obtained from the data subject” (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/)
2. Your client acts as a controller as well and should notif y the EU Residents that he is processing their personal data and also to communicate them the source of the data (which in this case is you). See art. 14 from the EU GDPR – “Information to be provided where personal data have not been obtained from the data subject” (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/ )
3. According to GDPR you can not process personal data unless you have a legal ground. If you can not rely on a legal ground than your processing activity may be unlawful. In conclusion, if you can not prove that your personal data was collected legally, than you should erase it.

To learn more about the EU GDPR check out our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//